About this Guide 


Welcome to Qualys Cloud Platform! In this guide, we'll show you how to set up your 
virtual appliance for Qualys Network Passive Sensor. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a 
founding member of the Cloud Security Alliance (CSA). 


For more information, please visit www.qualys.com. 


Contact Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access support information at www.qualys.com/support/. 
Welcome to Qualys Network Passive Sensor 


With Qualys Network Passive Sensor (PS), you can automatically detect and profile 
devices connected to your network, eliminating blind spots across your IT environment. 
Network Passive Sensor monitors network activity without any active probing of devices, 
and uses that activity to detect the active assets in your network. 


The virtual appliance supports a maximum throughput of 3Gbps. It can be scaled up or down 
depending on the resources allocated to it. Refer to the Appendix for more details. 


It's easy to set up a virtual appliance. We'll help you with the steps. 


Network requirements / configuration 


Bandwidth: Minimum recommended bandwidth connection of 1 Megabit per second (Mbps) to 
the Qualys Cloud Platform for a network containing around 10,000 assets. 


Appliance Access: The Network Passive Sensor must be able to reach certain infrastructure 
located on the Qualys Cloud Platform where your Qualys account is located. The local 
network must be configured to allow outbound HTTPS (port 443) access to the Internet, so 
that the Network Passive Sensor can communicate with the Qualys Cloud Platform. 

Tip - Log into your account and go to Help » About to see the Qualys Cloud Platform URLs. 


DHCP or Static IP: By default the Network Passive Sensor is pre-configured with DHCP. If 
configured with a static IP address, be sure you have the IP address, netmask, default 
gateway and primary DNS. 


Proxy Support: The Network Passive Sensor includes Proxy support with or without 
authentication. Proxy-level termination (as implemented in SSL bridging, for example) is 
not supported. SOCKS proxies are not supported. 


Get Started 


Network Passive Sensor will start discovering assets on your network once you complete 
the setup. It takes just a couple of minutes. It's important that you complete the steps in 
the order shown. 
Mirror the traffic 


You need to feed traffic to the appliance by mirroring it (using a physical tap or a 
mirror port). Connect the mirrored port to the sniffing interface of the appliance. This 
step is required in order to see discovered assets. 


Network Passive Sensor supports mirror traffic of SPAN, RSPAN, and ERSPAN methods. For 
more information, refer to the Deployment Guide. 

Step 1 - Download Virtualization Image 

1) Log in to the Qualys UI and select Network Passive Sensor from the app picker. 

2) On the Home tab, scroll down and click Deploy Network Sensor. 


3) From the Sensors tab, go to New Sensor > Virtual Sensor and then click the Download link 
in the Deploy Image step of the New Virtual Sensor wizard. For VMware ESXi, you can 
download the image (OVA file) to your local system. For Hyper-V, you can download a zip 
file containing the Hyper-V image. Click I Agree in the Review and Agree to Virtual 
Scanner License popup. The image download will start. 


Step 2 - Generate Personalization Code 


You'll need a unique personalization code to register your appliance with the Qualys 
Cloud Platform. Follow these steps to generate a personalization code: 


1) Log in to the Qualys UI and select Network Passive Sensor from the app picker. 


2) On the Sensors tab, go to New Sensor > Virtual Sensor to register a new sensor. 


3) In the New Virtual Sensor wizard, provide a name for your sensor and the location. 
Click the Generate Code button. Copy the code and keep it handy. You'll need it later. 


4) Click Next to go to the Installation screen. If you have not downloaded the image from 
the Home screen, you'll be able to download it from there. 


TA 


5) Click Next to go to the Define Internal Assets screen. Here, you'll define the IP ranges 
within your network you want to monitor. The assets discovered for these IP addresses will 
be individually inventoried and tracked for traffic analysis. You can use the default IP 
ranges or customized IP ranges. Select the Inventory these assets check box to mark these 
assets as inventoried. You'll be able to apply existing tags to these assets. To configure 
internal, external and excluded types of assets, refer to Configure Assets. 


6) Click Finish to complete the registration steps. A pop-up with the text Sensor not 
connected will be shown. Now complete the next steps; the sensor status will change once 
registration is successful in Step 4 - Register the Virtual Appliance. 
Step 3 - Deploy Virtualization Image 


You can deploy the image on VMware ESXi or Microsoft Hyper-V. Once deployed, the virtual 
appliance monitors the network activity without any active probing of devices in order to 
detect the active assets on the network. It identifies the key device attributes that help 
the web services on the cloud catalog the devices by operating system and hardware. 


Deployment on VMware ESXi 


ESXi server requirements: VMware ESXi 6.0 or later, 50 GB HDD, 16 GB Memory, Octa-Core 
Processor 


Follow these steps to deploy an image on ESXi server: 


1) Log in to your ESXi Server, and go to Virtual Machines > Create/Register VM. This opens 
the New Virtual Machine wizard. 


2) For creation type, choose Deploy a virtual machine from an OVF or OVA file. 


3) Click Next and enter a name for your virtual machine. Select or drag/drop the virtual 
sensor image you downloaded in Step 1 - Download Virtualization Image. 


4) Click Next and select the destination datastore for the virtual machine configuration 
files and all of the virtual disks. 




5) Click Next to go to the Deployment Options page. The OVA file creates a VM with two 
interfaces - Management and Sniffing. 



The Management interface is required to connect the virtual appliance to the 
Qualys Cloud Platform. Make sure the Management interface is connected to the pre- 
configured port group having WAN or Internet connectivity. 
The Sniffing interface is used by the appliance to inspect the traffic. Make sure the 
Sniffing interface is connected to the pre-configured port group having the TAP/TUN 
interface. Also make sure that “Promiscuous Mode” is enabled on the respective vSwitch and 
port group. 


[Screenshot in the original guide: typical vSwitch topology with port group settings - 
the port group (VLAN ID 4095) attached to the sensor VM and a physical adapter, with the 
Security policy (Allow promiscuous mode, Allow forged transmits, Allow MAC changes), NIC 
teaming policy and Shaping policy sections.] 

6) Click Next and review the settings configured earlier. Click Finish and wait for the 
virtual appliance deployment from the OVA to complete. 


7) Once the deployment is complete, open the virtual appliance console by selecting the 
VM and navigating to Console » Open browser console. Wait while the VM boots up. 

8) There are some network configuration settings (static IP, proxy) you’ll need to set before 
proceeding to the next step. Complete Network Configurations. 
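The guide sets promiscuous mode through the ESXi web UI; the following VMware PowerCLI script is an added example (not from the Qualys guide, and PowerCLI is an assumed tool) that verifies the same conditions on the host: the VM's sniffing adapter sits on the mirrored port group, and promiscuous mode is allowed on both the vSwitch and the port group, enabling it where it is not. The ESXi host name is a placeholder; the VM name and port group name are the ones used in the steps above.

```powershell
# Added example (not from the Qualys guide): check/enable the vSwitch and port-group
# settings that the Sniffing interface depends on, using VMware PowerCLI (assumed tool).
param(
    [string]$EsxiHost      = "esxi01.example.internal",    # placeholder host name
    [string]$VmName        = "Network Passive Sensor VM",  # VM name given in step 3
    [string]$PortGroupName = "My_Port_Group"               # sniffing port group from the guide
)

Import-Module VMware.VimAutomation.Core
$null = Connect-VIServer -Server $EsxiHost -Credential (Get-Credential)

# The sniffing adapter must be attached to the port group that receives the mirrored traffic.
$vm  = Get-VM -Name $VmName
$nic = Get-NetworkAdapter -VM $vm | Where-Object { $_.NetworkName -eq $PortGroupName }
if (-not $nic) { throw "VM '$VmName' has no adapter on port group '$PortGroupName'" }

$pg  = Get-VirtualPortGroup -Name $PortGroupName -Standard
$vsw = Get-VirtualSwitch -Name $pg.VirtualSwitchName -Standard

# Promiscuous mode must be allowed on BOTH the vSwitch and the port group: a port group
# that inherits its policy only sees all frames if the switch itself allows it.
$swPolicy = Get-SecurityPolicy -VirtualSwitch $vsw
if (-not $swPolicy.AllowPromiscuous) {
    Set-SecurityPolicy -VirtualSwitchPolicy $swPolicy -AllowPromiscuous $true | Out-Null
}
$pgPolicy = Get-SecurityPolicy -VirtualPortGroup $pg
if (-not $pgPolicy.AllowPromiscuous) {
    Set-SecurityPolicy -VirtualPortGroupPolicy $pgPolicy -AllowPromiscuous $true | Out-Null
}

# Report the effective state. VLAN ID 4095 (the value in the guide's topology screenshot)
# means the port group passes all VLAN tags through to the sensor.
[pscustomobject]@{
    VM                = $vm.Name
    SniffingAdapter   = $nic.Name
    PortGroup         = $pg.Name
    VLanId            = $pg.VLanId
    SwitchPromiscuous = (Get-SecurityPolicy -VirtualSwitch $vsw).AllowPromiscuous
    PgPromiscuous     = (Get-SecurityPolicy -VirtualPortGroup $pg).AllowPromiscuous
}

Disconnect-VIServer -Server $EsxiHost -Confirm:$false
```

Both promiscuous columns in the output should read True; if the VLAN ID differs from the one the mirror port delivers, the sensor will see only untagged or one VLAN's traffic.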


Deployment on Microsoft Hyper-V 


Hyper-V server requirements: Microsoft Hyper-V 2012 R2 or later, 50 GB HDD, 16 GB 
Memory, Octa-Core with total 14 GHz dedicated CPU Clock Processor 


Follow these steps to deploy an image on Hyper-V server: 


1) Log in to your Hyper-V Server and go to Start > Server Manager > Tools > Hyper-V 
Manager. Right-click your Hyper-V host and select New > Virtual Machine. 


2) For Specify Name and Location, provide the name that will be displayed in Hyper-V 
Manager and select the location where the virtual machine will be stored. 


3) For Specify Generation, select the appropriate generation (recommended - Generation 1) 
for the virtual machine. 


4) For Assign Memory, provide appropriate memory (RAM) for the virtual machine. 
Minimum recommended RAM is 16384 MB. 


5) For Configure Networking, select an appropriate virtual switch with Internet connectivity 
so that the network adapter on the sensor can use a virtual network for communication 
with the Qualys cloud platform. 
6) For Connect Virtual Hard Disk, select “Use an existing virtual hard disk” and provide the 
location of the .vhdx file. (Unzip the zip file downloaded in Step 1 - Download 
Virtualization Image to obtain the virtual hard disk file. As an example, unzip 
qPS-1.0.0-1-vhdx.zip to obtain the virtual hard disk qPS-1.0.0-1-disk1.vhdx.) 


7) Click Next and review the Summary. Click Finish and your virtual machine is ready. 


[Screenshot in the original guide: the New Virtual Machine Wizard's Connect Virtual Hard 
Disk page with “Use an existing virtual hard disk” selected and the qPS-1.0.0-1 .vhdx file 
as its location.] 


8) Select the virtual machine (just created) and navigate to Settings. Change default 
number of virtual processors to 8. 




9) Make sure that the “Automatic Stop Action” of the VM is set to “Turn off the virtual 
machine” and apply the changes. 




10) Navigate to Virtual Switch Manager and create a new virtual network switch. Select the 
type of switch as External. 


11) Give a name to the virtual switch, e.g., "test switch". 


12) Select the appropriate external physical NIC interface to connect the virtual switch 
from the drop-down menu. 


13) Uncheck the option Allow management operating system to share the network 
adapter. 


14) Click OK. 


15) In PowerShell, execute the following commands: 


- Set the port feature property to the virtual switch created. 


$portFeature = Get-VMSystemSwitchExtensionPortFeature -FeatureName "Ethernet Switch Port Security Settings" 


- Configure the port monitor mode. 


$portFeature.SettingData.MonitorMode = 2 


- Use the same switch name as defined earlier (quoted, because the name contains a space). 


Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName "test switch" -VMSwitchExtensionFeature $portFeature 
16) Select the virtual machine and go to Settings. 


17) Go to Add Hardware > Select Network Adapter > Click Add > Click OK to add new 
network adapter in Hyper-V. 

18) Select the second Network Adapter tab from the drop-down » Select the newly created 
virtual switch (test switch). 


19) Go to Advanced Features > Select Destination from the Mirroring Mode drop-down in the 
Port Mirroring section. 




20) Power on the VM. 


21) There are some network configuration settings (static IP, proxy) you’ll need to set 
before proceeding to the next step. Complete Network Configurations. 
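Steps 8 through 19 of the Hyper-V deployment, collected into one script as an added example (not from the Qualys guide) using the Hyper-V PowerShell module, with a verification pass at the end. The VM name, physical NIC name and second adapter name are assumptions; the switch name is the "test switch" used in the steps. MonitorMode 2 marks the switch's external port as the mirror source, and the sensor's second adapter is set as the mirror destination, which is what step 19 does in the GUI.

```powershell
# Added example (not from the Qualys guide): Hyper-V steps 8-19 as cmdlets, then verify.
param(
    [string]$VmName      = "Qualys Network Passive Sensor",  # placeholder VM name
    [string]$NicName     = "PS-Test-Nic2",                   # physical NIC carrying mirrored traffic (assumed)
    [string]$SwitchName  = "test switch",                    # switch name used in the guide
    [string]$AdapterName = "Sniffing"                        # name for the second (sniffing) adapter (assumed)
)

# Steps 8-9: 8 virtual processors and "Turn off the virtual machine" as the stop action.
Set-VM -Name $VmName -ProcessorCount 8 -AutomaticStopAction TurnOff

# Steps 10-14: external switch bound to the mirror NIC and NOT shared with the management
# OS, so the host's own traffic is not mixed into what the sensor sees.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -NetAdapterName $NicName -AllowManagementOS $false | Out-Null
}

# Step 15: external port of the switch becomes the mirror source (MonitorMode 2).
$portFeature = Get-VMSystemSwitchExtensionPortFeature -FeatureName "Ethernet Switch Port Security Settings"
$portFeature.SettingData.MonitorMode = 2
Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName $SwitchName -VMSwitchExtensionFeature $portFeature

# Steps 16-19: add a second adapter, attach it to the switch, make it the mirror destination.
if (-not (Get-VMNetworkAdapter -VMName $VmName -Name $AdapterName -ErrorAction SilentlyContinue)) {
    Add-VMNetworkAdapter -VMName $VmName -Name $AdapterName -SwitchName $SwitchName
}
Set-VMNetworkAdapter -VMName $VmName -Name $AdapterName -PortMirroring Destination

# Verification: without MonitorMode 2 on the external port AND Destination on the sensor
# adapter, no mirrored frames reach the sniffing interface and no assets are discovered.
$ext = Get-VMSwitchExtensionPortFeature -ExternalPort -SwitchName $SwitchName `
          -FeatureName "Ethernet Switch Port Security Settings"
$nic = Get-VMNetworkAdapter -VMName $VmName -Name $AdapterName
[pscustomobject]@{
    Switch           = $SwitchName
    ExternalPortMode = $ext.SettingData.MonitorMode   # expected: 2 (source)
    SniffingAdapter  = $nic.Name
    AdapterMirroring = $nic.PortMirroringMode         # expected: Destination
}
if ($ext.SettingData.MonitorMode -ne 2 -or $nic.PortMirroringMode -ne 'Destination') {
    throw "Port mirroring is not fully configured on switch '$SwitchName' / adapter '$AdapterName'"
}
```

Run it in an elevated PowerShell session on the Hyper-V host before powering on the VM (step 20).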


Step 4 - Register the Virtual Appliance 


1) Open the Virtual Appliance console by selecting the VM and then navigating to Console 
> Open browser console. 


2) Choose the Personalize this scanner option. 


3) Enter your 14 digit personalization code which you generated in Step 2 - Generate 
Personalization Code. 


4) Click Submit and wait for the confirmation message Appliance registration completed 
successfully. Check that the status on the console is Registered. 


5) Once your appliance successfully registers to the Qualys Cloud Platform, you'll see the 
appliance listed with the status Paused. 


Step 5 - Check the Status 


Log in to the Qualys UI and select Network Passive Sensor from the application picker. 
Navigate to the SENSORS tab to view the list of sensors in your account and their status. 




You'll see the status for each appliance in the list: Paused, Scanning or Not Connected. 
If the status is Unregistered, you can view details for the sensor and deregister it. 
If the status is Scanning, you can view details and pause scanning. 


If the status is Deregistered, you can view details for the sensor and delete the sensor. 
Configure Assets 


Network Passive Sensor can see traffic flows between two types of IP addresses. These IP 
addresses can be internal (within your network) or external (outside your network). 


You can configure how you want to categorize the assets discovered by the sensors while 
monitoring traffic flows. All these assets are listed in the Assets tab of Global 
AssetView/CyberSecurity Asset Management. 


Assets can be defined as Internal Assets, Excluded Assets, and External Assets. 


Internal Assets 
To add internal assets, simply go to Configuration > Internal Assets > Add. 


Here, you'll define the IP ranges within your network you want to monitor. The assets 
discovered for these IP addresses will be individually inventoried and tracked for traffic 
analysis. You can use the default IP ranges, IP range tags, or customized IP ranges options 
to define the range of internal assets. Select the Do you want to inventory the assets 
option to mark these assets as inventoried. 


To complete the sensor setup and to start sensing assets you must define Internal Asset 
ranges. The passive sensor senses all the traffic that you have mirrored. However, by 
defining internal asset ranges, you choose the assets you want to monitor and report on. 


1 - Default IP Ranges 


This option defines internal assets discovered within the default internal ranges for your 
network (192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8). Click Select Sensors to select the 
sensor from the list of sensors for which you want to define internal assets. 


2 - IP-Range Tags 


This option defines internal assets discovered with IP range tags. These are the dynamic 
tags created with the ‘IP Address In Range(s)’ rule engine. Click Select Sensors to select 
the sensor from the list of sensors for which you want to define internal assets. 


Click Select IP Ranges to select IP tags from the list of tags for which you want to define 
internal assets. 
3 - Custom IP Ranges 


This option defines internal assets discovered with custom IP ranges. You can provide IP 
ranges for monitoring. Click Select Sensors to select the sensor from the list of sensors 
for which you want to define internal assets. 




Excluded Assets 

Here, you'll define the IP ranges or MAC addresses to be excluded from the inventory. The 
assets discovered for these addresses will be masked as Excluded in the traffic summary. 
To add excluded assets, simply go to Configuration > Excluded Assets > Add. 



External Assets 


Here, you'll define the external sites you want to monitor. These sites will be reported 
individually in the traffic summary; however, they will not be inventoried like the 
internal assets. 


To add external assets, simply go to Configuration > External Assets > Add. 




Network Configurations 


You'll need to complete certain network configuration settings under Set up Network. This 
is where you'll enable and configure the management interface of the appliance. 


These configurations are described below: 

- Configure Static IP Address 

- Proxy Configuration 

Configure Static IP Address 


If the port group to which the Management interface is connected has a DHCP server, you 
can view the Management Network Configurations with the Show option. If DHCP is not on 
your network, you must configure the Virtual Sensor with a static IP address using the 
STATIC IP option. One of these configurations is required. 


To enable a static IP address, follow these steps: 


1) Go to the Set up Network menu option and press Enter to continue. 


2) Press Space Bar to select Static IP option and choose OK. 

3) Provide parameters for Static IP configuration: 

- IP address - Enter the static IP address. 

- Netmask - Enter the desired netmask value. 

- Gateway - Enter the gateway IP address. 

- DNS1 - Enter the IP address for the primary DNS server. 

- DNS2 - Enter the IP address for the secondary DNS server. This entry is optional. 


4) Choose Submit and press Enter. Wait for some time and you'll see a confirmation 
message for successful configuration of network settings. 


Proxy Configuration 


If the Virtual Sensor is behind a Proxy server, you need to enable a Proxy configuration 
using the Enable Proxy menu option. Authentication (Basic) of the Virtual Sensor 
connection to your Proxy server can be enabled by configuring the Proxy user and 
password fields. 


The Virtual Sensor uses Secure Sockets Layer (SSL) protocol (HTTPS) to secure its 
connection to the Qualys web application, in a similar way that a web browser does to a 
secure web server. If the Qualys connection must pass through a Proxy server, then you 
must enable the Proxy option on the Virtual Sensor. This configuration re-directs Qualys 
outbound connections through the Proxy server. 


Your Proxy server must be configured to tunnel or pass through the SSL session to the 
Qualys web application. This ensures a secured end-to-end connection. SSL bridging or 
tunnel termination must not be configured in your Proxy server when supporting the 
Virtual Sensor. 


To configure Proxy support, follow these steps: 


1) Go to the Set up Network menu option. 


2) Choose Proxy Configuration and press Enter to continue. 


3) Select Enable Proxy and click OK. 


4) When the Enter the proxy server details prompt appears, provide the proxy server 
parameters: 


- Proxy IP Address - Enter the Proxy server's IP address. 
- Proxy Port - Enter the port number assigned to the Proxy server. 


5) Click Next to select the authentication type from NoAuth, BasicAuth and NTLMAuth. If 
you select authentication type as BasicAuth or NTLMAuth, you need to provide user 
name and password. 


- Proxy User - Enter the user name for Proxy authentication. If authentication is not 
enabled at the Proxy level, leave the entry field blank. 


- Proxy Password - Enter the password for Proxy authentication. If authentication is not 
enabled at the Proxy level, leave the entry field blank. 
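To confirm that a proxy passes the TLS session through rather than bridging it, the following script (an added example, not part of this guide or of the Qualys appliance software) performs the same HTTP CONNECT the sensor does, optionally with Basic credentials, and then inspects the certificate presented inside the tunnel. The target hostname and the proxy address are placeholders; substitute the platform hostname for your subscription.

```python
"""Check that an HTTP proxy tunnels the sensor's TLS session end to end.

Added example (not part of this guide or of the Qualys appliance software).
It sends an HTTP CONNECT request, optionally with the same Basic credentials
entered in the Proxy Configuration menu, then completes a TLS handshake inside
the tunnel and reports which certificate the far end presented. A proxy that
bridges or terminates TLS presents its own certificate instead of the Qualys
platform's, which is the configuration this section says must not be used.
"""
import argparse
import base64
import hashlib
import socket
import ssl
from typing import Optional

# Assumption for illustration only: use the platform hostname shown in your
# Qualys subscription.
DEFAULT_TARGET = "qualysguard.qualys.com"


def build_connect_request(host: str, port: int, user: Optional[str] = None,
                          password: Optional[str] = None) -> bytes:
    """Build the CONNECT request that opens a tunnel through an HTTP proxy."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if user is not None:
        # Basic auth is base64("user:password"); the proxy sees it in clear.
        token = base64.b64encode(f"{user}:{password or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_connect_status(reply: bytes) -> int:
    """Return the HTTP status code from the proxy's reply to CONNECT.

    200 means the tunnel is open; 407 means the proxy wants credentials.
    """
    status_line = reply.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def read_reply_headers(sock: socket.socket) -> bytes:
    """Read until the blank line that ends the proxy's response headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def check_tunnel(proxy_host: str, proxy_port: int, target: str = DEFAULT_TARGET,
                 user: Optional[str] = None, password: Optional[str] = None,
                 timeout: float = 10.0) -> dict:
    """Open a CONNECT tunnel and describe the TLS endpoint seen through it."""
    result = {"status": None, "verified": False, "issuer": None, "sha256": None}
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as raw:
        raw.sendall(build_connect_request(target, 443, user, password))
        result["status"] = parse_connect_status(read_reply_headers(raw))
        if result["status"] != 200:
            return result
        # Validate chain and hostname against the system trust store, as a
        # client that expects the real Qualys certificate would.
        ctx = ssl.create_default_context()
        try:
            tls = ctx.wrap_socket(raw, server_hostname=target)
        except ssl.SSLCertVerificationError as exc:
            # Typical of an intercepting proxy re-signing with a private CA.
            result["error"] = str(exc)
            return result
        with tls:
            result["verified"] = True
            der = tls.getpeercert(binary_form=True)
            result["sha256"] = hashlib.sha256(der).hexdigest()
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            result["issuer"] = issuer.get("organizationName")
    return result


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="CONNECT-tunnel TLS check")
    ap.add_argument("proxy_host")
    ap.add_argument("proxy_port", type=int)
    ap.add_argument("--target", default=DEFAULT_TARGET)
    ap.add_argument("--user")
    ap.add_argument("--password")
    a = ap.parse_args()
    print(check_tunnel(a.proxy_host, a.proxy_port, a.target, a.user, a.password))
```

Run it from a host on the same segment as the sensor. A status of 407 means the proxy wants credentials; a verification error, or an issuer that is your own enterprise CA rather than the public CA you see on a direct connection, means the proxy is terminating TLS and must be reconfigured to tunnel the sensor's traffic.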
Appendix 


Virtual Network Passive Sensor (PS) Appliance Packet 
Throughput Based on Resources 


The Virtual Network Passive Sensor (PS) appliance's auto-scaling capability runs 
automatically at boot time to calculate how much packet throughput the appliance can 
handle. 


The increase in throughput depends on the additional dedicated resources made available 
to the appliance: the CPU clock speed, the type of CPU, and the type of RAM in the VM 
appliance system. 


To handle continuous traffic, the CPU capacity (GHz) must be reserved for the appliance 
rather than shared with other VMs. The estimated maximum throughput is shown on the 
sensor details page. Actual throughput may vary depending on how dedicated the resources 
are and on the type of traffic visible to the sensor. 


Virtual Network Passive Sensor (PS) Throughput Capacity 
Based on Hardware 


The throughput calculation depends directly on the CPU resources attached to the VM 
appliance. However, you should also increase memory as your requirement grows (see the 
chart below). 


With each two additional CPU cores added to the appliance, an additional LB pipe is added, 
followed by an additional DPI-AEC instance pair entry in the respective DB table. When 
those CPU cores are removed, the corresponding number of LB pipes is removed and the 
DPI-AEC instance pair DB entries are deleted as well. 


Comparison Chart 
Use the hardware at the best possible level to leverage the Qualys PS appliance effectively. 


Capacity (Mbps)   RAM (GB)   CPU Cores 
500               8          4 
750               12         6 
1000              16         8 
1250              18         10 
1500              20         12 
1750              22         14 
2000              24         16 


CPU core specification: Intel(R) Xeon(R) CPU @ 2.30GHz 
RAM specification: DDR4 2133 

Note: In the above chart, for an appliance expected to process more than 1000 Mbps of 
traffic, a minimum of 2 GB of RAM is mandatory for every 2 CPU cores added. However, we 
strongly recommend adding 4 GB of RAM with every 2 CPU cores to ensure smooth 
functioning of Qualys NPS appliances. 


Virtualization Platform: VMware ESXi 6.7.0 


The data was generated under ideal conditions; results may vary according to your setup. 


Throughput capacity per 2 cores (one DPI instance) also depends on CPU frequency, as 
follows: 


- CPU frequency below 1.5 GHz: 150 Mbps per DPI instance (<1.5 GHz = 150 Mbps). 


- CPU frequency from 1.5 GHz up to 2.0 GHz: 200 Mbps per DPI instance (1.5 GHz - 2.0 GHz 
= 200 Mbps). 


- CPU frequency of 2.0 GHz or more: 250 Mbps per DPI instance (>=2.0 GHz = 250 Mbps). 
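The sizing rules above (one DPI instance per 2 cores, a per-instance rate set by the CPU frequency band, and the RAM column of the chart) as a small planning helper. This is an added example and not Qualys code; the appliance's own auto-scaling may compute differently, so use it to sanity-check a VM allocation before deployment and compare with the estimate shown on the sensor details page.

```python
"""Planning helper for Passive Sensor virtual appliance sizing.

Added example derived from the comparison chart and the per-DPI-instance
frequency rules in this appendix. It is not Qualys code; treat the numbers as
the guide's planning figures, not a measured guarantee.
"""


def dpi_instances(cpu_cores: int) -> int:
    """One LB pipe / DPI-AEC instance pair per 2 CPU cores (chart starts at 4)."""
    if cpu_cores < 4 or cpu_cores % 2:
        raise ValueError("allocate an even number of cores, at least 4")
    return cpu_cores // 2


def per_instance_mbps(cpu_ghz: float) -> int:
    """Throughput of one DPI instance by CPU frequency band."""
    if cpu_ghz < 1.5:
        return 150
    if cpu_ghz < 2.0:
        return 200
    return 250


def estimated_throughput_mbps(cpu_cores: int, cpu_ghz: float) -> int:
    """Appliance estimate: instances times per-instance rate."""
    return dpi_instances(cpu_cores) * per_instance_mbps(cpu_ghz)


def chart_ram_gb(cpu_cores: int) -> int:
    """RAM column of the chart: +4 GB per core pair up to 8 cores, then the
    mandatory minimum of +2 GB per core pair above 1000 Mbps."""
    pairs = dpi_instances(cpu_cores)
    return 8 + 4 * (pairs - 2) if pairs <= 4 else 16 + 2 * (pairs - 4)


def recommended_ram_gb(cpu_cores: int) -> int:
    """The note's stronger recommendation: +4 GB with every 2 cores throughout."""
    return 8 + 4 * (dpi_instances(cpu_cores) - 2)


def cores_for_target(target_mbps: int, cpu_ghz: float) -> int:
    """Smallest supported even core count whose estimate meets the target."""
    pairs = max(2, -(-target_mbps // per_instance_mbps(cpu_ghz)))  # ceiling
    return 2 * pairs


def sizing_table(max_cores: int = 16, cpu_ghz: float = 2.3) -> list:
    """Rows of (cores, Mbps, chart RAM GB, recommended RAM GB)."""
    return [(c, estimated_throughput_mbps(c, cpu_ghz), chart_ram_gb(c),
             recommended_ram_gb(c)) for c in range(4, max_cores + 1, 2)]


if __name__ == "__main__":
    print("cores  Mbps  chart_ram  recommended_ram")
    for row in sizing_table():
        print("%5d %5d %9d %15d" % row)
    print("cores for 1000 Mbps on a 1.8 GHz host:", cores_for_target(1000, 1.8))
```

Note that the same 8 cores yield 1000 Mbps on the 2.3 GHz host used for the chart but only 800 Mbps on a 1.8 GHz host, so size from the frequency of the host the VM will actually run on.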


How to Modify Hardware Resources for VM Deployed on the ESXi Server 


1. Go to the System Shutdown option and press Enter to shut down the appliance via the 
console. 


2. In the ESXi host client, select the appliance VM and click Edit. 


3. Increase the CPU cores and Memory as per your throughput requirements and click 
Save to save your configuration. 


[Screenshot: Edit settings dialog for the PS VM in the ESXi host client, Hardware Configuration tab] 


How to Modify Hardware Resources for VM Deployed on the HyperV 
Server 


1. Follow Step 1 as described above. 


2. Select the virtual machine and go to Settings. Modify the CPU cores (Number of virtual 
processors) and Memory as per your throughput requirements > Click Apply to apply the 
changes > Click OK to save your configuration. 
[Screenshot: Hyper-V Settings for the PS VM, Processor page (Number of virtual processors) 
and Memory page (RAM in MB, Dynamic Memory, Memory weight)] 

3. Power ON the VM. 
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Adding/Removing Sniffing Interfaces from Virtual Appliance 


Network Passive Sensor (PS) now supports an aggregated/bonded sniffing interface. A 
virtual interface that aggregates multiple physical interfaces allows the appliance to add 
one or more sniffing interfaces. 


How to Add Sniffing Interface to the PS Appliance Deployed on the ESXi 
Server 


1. Go to the System Shutdown option and press Enter to shut down the appliance via the 
console. 


2. In the ESXi host client, select the appliance VM and click Edit. 


3. Click Add network adapter to add a new sniffing interface. 


[Screenshot: Edit settings dialog for the PS VM in ESXi, showing Add network adapter and 
the existing Network Adapter 1 and Network Adapter 2] 


4. Select the appropriate port group > Select the adapter type VMXNET 3 > Click Save to 
save your configuration. 


[Screenshot: Edit settings dialog for the PS VM in ESXi, showing the New Network Adapter 
below Network Adapter 1 and Network Adapter 2] 


5. Power on the VM. 
How to Remove a Sniffing Interface from the PS Appliance Deployed on the 
ESXi Server 


1. Follow the Step 1 and Step 2 same as mentioned above. 


2. Remove the newly added interface and click Save to save the configuration. 


[Screenshot: Edit settings dialog for the PS VM in ESXi, Virtual Hardware tab listing 
Network Adapter 1, 2 and 3] 


3. Power on the VM. 


How to Add a Sniffing Interface to the PS Appliance Deployed on the 
Hyper-V Server 


1. Go to the System Shutdown option and press Enter to shutdown the appliance via 
console. 




Note: The newly created interface must be connected to a virtual switch that receives the 
mirrored network traffic. 


Follow steps 10 to 20 in the Deployment on Microsoft Hyper-V section to create a virtual 
switch and add a new sniffing interface to it. 
How to Remove a Sniffing Interface from the PS Appliance Deployed on the 
Hyper-V Server 


1. Go to the System Shutdown option and press Enter to shutdown the appliance via 
console. 


2. Select the virtual machine and go to Settings > Select the Network Adapter that needs 
to be removed > Click Remove > Click Apply > Click OK to remove the network adapter. 


[Screenshot: Hyper-V Settings for the PS VM, Network Adapter page for the sniffing 
adapter (virtual switch, VLAN ID, bandwidth management and the Remove button); in the 
second screenshot, after removal, the adapter no longer appears under Hardware] 
Classification of Assets in Passive Sensor 


Passive sensor classifies IPs as internal and external for the purpose of asset inventory and 
traffic monitoring. 


The "Internal" range is the universe of IP addresses that exists within an enterprise and is 
therefore worth building an asset inventory for. Everything outside this range is "External" 
and is not inventoried. 


From a traffic monitoring perspective, NPS tracks flows between assets in the inventoried 
IP range by 4-tuple. NPS does not track individual IPs in the "External" range; it attributes 
all external IPs to a single asset named "External". 


The classes are summarized below, followed by a detailed explanation of how NPS treats 
each class of IPs. 


Classification of Assets 


- Internal (for example, 192.168.0.0/16): the IP ranges that exist within the enterprise, 
subdivided into 
  - Inventory 
  - Non-inventory 
  - Exclude IP/MAC 
- Monitor External IP/FQDN: selected external IPs or FQDNs whose traffic is tracked 
individually 
- External: everything else is marked as "External" 


What is Inventory 
NPS uses IP addresses in this range to: 


a) Create assets and inventory their attributes such as hostname, MAC address, 
protocol-specific attributes, and so on. 


b) Track traffic flows from these IPs to all other IPs outside this range. 
Assets with IPs in this range are listed under the CSAM inventory. 


NPS aggregates the traffic flows from one IP in the internal range to another IP in the 
internal range by the 4-tuple of source IP, destination IP, destination port, and protocol 
(TCP or UDP). The appliance reports traffic flows at an interval of 5 minutes for new assets 
and 30 minutes for asset updates. 


The appliance aggregates multiple flows with the same tuple into one flow when reporting 
it at the 5- or 30-minute reporting interval. 


For example, if asset A1 initiates an HTTP flow to web server A2 multiple times within the 
30-minute interval, NPS aggregates these flows and reports a single HTTP flow from A1 to 
A2 at reporting time. 
How to Configure Inventoried IP Range 

To configure an IP range/subnet as internal inventoried, select the appliance from the 
Passive Sensor module listing and navigate to its details to edit the Internal Assets 
configuration. Add the IP range and set the radio button under "Do you want to inventory 
these assets?" to Yes. 


[Screenshot: Internal Assets > Internal Asset Group/Network form. The page explains: 
"Define the IP ranges within your network that you want to monitor. These IP addresses 
will be individually tracked for traffic analysis. The passive sensor senses all the traffic that 
you have mirrored. However, by defining internal asset ranges, you choose the assets you 
want to monitor and report on." Example values: Name Subnet-A; Include the Following 
Sensors NPS-A (1 sensor selected); Do you want to inventory the assets? Yes; Internal Asset 
IP Range: Custom IP Ranges 10.10.10.0/24; Type DHCP; Cancel / Save.] 


What is Non-Inventory 

NPS uses IP addresses in this range only for tracking traffic flows to other IPs in the 
inventory range, and NOT for inventory purposes. Assets in this IP range do not appear in 
the CSAM inventory. However, traffic flows to/from these assets are listed in the Network 
tab of CSAM and under the traffic tab of the inventoried asset they communicate with. 
How to Configure Non-Inventoried IP Ranges 


To configure an IP range/subnet as internal non-inventoried, select the appliance from the 
Passive Sensor module listing and navigate to its details to edit the Internal Assets 
configuration. Add the IP range and set the radio button under "Do you want to inventory 
these assets?" to No. 


[Screenshot: the same Internal Asset Group/Network form with Name Subnet-B; Include 
the Following Sensors NPS-A; Do you want to inventory the assets? No; Internal Asset IP 
Range: Custom IP Ranges 10.20.20.0/24; Type DHCP.] 


To review the configuration, check the last column, "Inventoried", in the Configuration > 
Internal Assets listing: 


NAME       IP RANGE        SENSOR   TYPE   INVENTORIED 
Subnet-A   10.10.10.0/24   NPS-B    DHCP   Yes 
Subnet-A   10.10.10.0/24   NPS-A    DHCP   Yes 
Subnet-B   10.20.20.0/24   NPS-A    DHCP   No 
Subnet-B   10.20.20.0/24   NPS-B    DHCP   No 


What is Excluded 


If some sensitive or confidential assets must not appear in the inventory, the passive 
sensor lets you configure their IPs and/or MACs in the Excluded range. 

NPS does not gather any inventory information for the IPs/MACs added to this 
category/group. These assets do not appear in the CSAM asset listing. In traffic flows 
to/from these assets, as seen in the traffic listing, the asset is shown as "Excluded" without 
any IP address. 


How to Configure Excluded IPs/MACs 


To configure an IP / MAC as excluded, select the appliance from the Passive Sensor module 
listing and navigate to its details to edit the Excluded Assets configuration. 


[Screenshot: Network Passive Sensor > Configuration > Excluded Assets] 


[Screenshot: Traffic summary representation for Excluded Assets] 


What is Monitored External 


NPS does not track IPs outside the inventoried and non-inventoried ranges; it attributes 
them to one asset named External, as explained earlier. However, you may want to monitor 
traffic flows from internal assets to certain external IPs/FQDNs, for example to measure 
the volume of traffic from internal assets to social media sites such as Facebook or Twitter. 
For this, NPS provides a "Monitored External" configuration and uses the FQDNs or IPs 
specified there to track traffic flows destined to an asset created per group. These assets 
do not appear in the CSAM asset listing. If Monitor External FQDNs or IPs are configured, 
traffic flows to Monitor External assets are tracked with the actual IP address: flows 
between inventoried assets and Monitor External assets are shown with the actual IP 
address of the Monitor External IP/FQDN asset in the traffic listing of the inventoried 
assets. 


How to Configure Monitor External FQDNs or IPs 

Select the appliance from the Passive Sensor module listing and navigate to its details to 
edit the External Assets configuration and add FQDNs / IPs to a group. The following 
screenshot shows 2 groups, each with a unique name. NPS tracks traffic flows going to 
one of the 2 assets that represent each group. 
[Screenshot: Configuration > External Assets, showing the two groups, ingress 10.59 MB 
and egress 996.19 KB, and traffic flows dated Mar 02 2022 to External and to the 
monitored IP 98.137.11.165] 
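The Inventory, Non-Inventory, Excluded and Monitored External rules above, modelled together so the effect of each class on a 4-tuple flow report can be seen. This is an added example, not the appliance's code; the sample configuration and flows are constructed, Monitored External entries are given as IPs (the product also accepts FQDNs), and the rule that flows with no inventoried endpoint are dropped is this example's reading of the Non-Inventory section.

```python
"""Endpoint classification and 4-tuple flow aggregation as this chapter describes.

Added example, not Qualys code. Monitored External entries are IPs here
(assumption; the product also takes FQDNs). Sample config and flows are
constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, NamedTuple, Set


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    nbytes: int
    src_mac: str = ""
    dst_mac: str = ""


def _nets(cidrs: Iterable[str]) -> list:
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


@dataclass
class SensorConfig:
    inventoried: List[str]
    non_inventoried: List[str] = field(default_factory=list)
    excluded_ips: List[str] = field(default_factory=list)
    excluded_macs: Set[str] = field(default_factory=set)
    monitored_external: Dict[str, List[str]] = field(default_factory=dict)

    def __post_init__(self):
        self._inv, self._noninv = _nets(self.inventoried), _nets(self.non_inventoried)
        self._excl = _nets(self.excluded_ips)
        self._macs = {m.lower() for m in self.excluded_macs}
        self._mon = {g: _nets(v) for g, v in self.monitored_external.items()}


def classify(ip: str, mac: str, cfg: SensorConfig) -> str:
    """inventory | non-inventory | excluded | monitored-external:<group> | external."""
    addr = ipaddress.ip_address(ip)
    if mac.lower() in cfg._macs or any(addr in n for n in cfg._excl):
        return "excluded"       # exclusion wins even inside an inventoried range
    if any(addr in n for n in cfg._inv):
        return "inventory"
    if any(addr in n for n in cfg._noninv):
        return "non-inventory"
    for group, nets in cfg._mon.items():
        if any(addr in n for n in nets):
            return f"monitored-external:{group}"
    return "external"


def endpoint_label(ip: str, mac: str, cfg: SensorConfig) -> str:
    """How the endpoint appears in the traffic listing."""
    cls = classify(ip, mac, cfg)
    if cls == "excluded":
        return "Excluded"       # shown without any IP address
    if cls == "external":
        return "External"       # every external IP collapses into one asset
    return ip                   # inventory, non-inventory, monitored: actual IP


def aggregate(flows: Iterable[Flow], cfg: SensorConfig) -> Dict[tuple, dict]:
    """Collapse flows with the same (src, dst, dport, proto) into one record.
    Flows with no inventoried endpoint are dropped (example's reading of the
    text: non-inventory ranges exist only for flows to the inventory range)."""
    report: Dict[tuple, dict] = defaultdict(lambda: {"count": 0, "bytes": 0})
    for f in flows:
        ends = (classify(f.src, f.src_mac, cfg), classify(f.dst, f.dst_mac, cfg))
        if "inventory" not in ends:
            continue
        key = (endpoint_label(f.src, f.src_mac, cfg),
               endpoint_label(f.dst, f.dst_mac, cfg), f.dport, f.proto.lower())
        report[key]["count"] += 1
        report[key]["bytes"] += f.nbytes
    return dict(report)


def inventory_assets(flows: Iterable[Flow], cfg: SensorConfig) -> Set[str]:
    """IPs that would become CSAM inventory assets."""
    return {ip for f in flows for ip, mac in ((f.src, f.src_mac), (f.dst, f.dst_mac))
            if classify(ip, mac, cfg) == "inventory"}


# Constructed sample: Subnet-A inventoried, Subnet-B non-inventoried, one host
# excluded by IP, one MAC excluded, one monitored external group.
SAMPLE_CONFIG = SensorConfig(
    inventoried=["10.10.10.0/24"], non_inventoried=["10.20.20.0/24"],
    excluded_ips=["10.10.10.250"], excluded_macs={"AA:BB:CC:DD:EE:FF"},
    monitored_external={"saas-example": ["203.0.113.5"]})

SAMPLE_FLOWS = [
    Flow("10.10.10.5", "10.10.10.80", 443, "tcp", 1200),
    Flow("10.10.10.5", "10.10.10.80", 443, "tcp", 800),    # same tuple: merged
    Flow("10.10.10.5", "10.20.20.7", 22, "tcp", 500),      # to non-inventory
    Flow("10.10.10.5", "198.51.100.9", 443, "tcp", 300),   # external
    Flow("10.10.10.5", "198.51.100.10", 443, "tcp", 100),  # external: same key
    Flow("10.10.10.5", "203.0.113.5", 443, "tcp", 700),    # monitored external
    Flow("10.10.10.250", "10.10.10.80", 443, "tcp", 50),   # excluded source
    Flow("10.20.20.7", "198.51.100.9", 443, "tcp", 999),   # no inventory end
]

if __name__ == "__main__":
    for key, val in sorted(aggregate(SAMPLE_FLOWS, SAMPLE_CONFIG).items()):
        print(key, val)
```

The two external destinations land in one "External" record while the monitored one keeps its IP, and the excluded source appears as "Excluded" with no address, which is the behaviour to expect in the CSAM traffic listing.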
Best Practices 


This section contains certain best practices to follow when configuring the internal assets 
in NPS appliances. 


1. Avoid configuring overlapping subnets as internal (inventoried) assets on more than 
one sensor appliance 

In deployments that have more than one Passive Sensor appliance registered with the same 
Qualys cloud account, the configured internal inventoried network ranges should not 
overlap between the sensors. 


To explain this better, let us consider a sample deployment that has 2 sensors deployed in 
different locations registered to the same account. 


[Diagram: Branch A with assets A.1, A.2, A.3 and Branch B with assets B.1, B.2, B.3, each 
branch with its own sensor] 


The enterprise network in the above scenario has 2 branches, A and B, with one sensor 
deployed in each. For the enterprise network, subnets A and B together make up the range 
of IPs for internal assets that have to be inventoried. Assets A.1, A.2 and A.3 belong to 
subnet A, and B.1, B.2 and B.3 belong to subnet B. 


Now consider inter-branch traffic. Each of the sensors in branches A and B will "see" 
traffic flows between assets in subnet A and assets in subnet B. 


For example, if A.1 initiates a flow to B.1, both sensors sense this flow. If both sensors are 
configured with subnets A and B as the internal (inventoried) range, both sensors report 
assets A.1 and B.1, so the same assets are reported twice to the Qualys cloud. This causes 
additional workload on the cloud services and may result in delayed or missed updates of 
the assets or traffic flows in the asset or traffic listing. 


This workload multiplies if there are flows from each of the assets in subnet A to B.1, 
such as A.1 to B.1, A.2 to B.1 and A.3 to B.1. 
So, adding the same subnet to multiple sensors is inefficient and not a recommended 
configuration. 


Desired/Recommended configuration: Detect assets in location-specific subnets and 
provision a "non-inventoried" asset category 

The recommended configuration to avoid duplicate processing on the cloud is to configure 
each sensor with a unique subnet as its inventoried range and add the organization's 
other internal subnets as its internal non-inventoried range. 


So in the above example, the sensor deployed in Branch A would only consider IPs of 
subnet A as internal and treat everything else as external. This means even subnet B, 
which belongs to the universe of internal IPs of the organization, would be considered 
external by the sensor in branch A. However, to track the inter-branch traffic flows, so as to 
know which asset in subnet A was talking to which asset in subnet B and vice versa, add 
subnet B as an internal (non-inventoried) range on the sensor in location A. The passive 
sensor uses the non-inventoried range to create assets whose attributes are not collected, 
just as for External assets, with the difference that their IP is recorded. 


Similarly for the sensor in location B, configure subnet B as its internal inventoried range 
and subnet A as its internal non-inventoried range. 


With the above configuration, the sensor in location A reports A.1, A.2 and A.3 as internal 
inventoried assets and B.1 as a non-inventoried asset. Similarly, the sensor in location B 
reports B.1 as its internal inventoried asset and A.1, A.2 and A.3 as non-inventoried 
assets. 


This configuration saves the PS services from the burden of additional processing. This 
also conserves the WAN bandwidth needed by sensors to report metadata to Qualys cloud 
as only one sensor reports the inventoried assets. 


To summarize, the configuration of both passive sensors is as follows: 


Passive Sensor Appliance Location   Internal (inventoried)   Internal (non-inventoried) 
Branch A                            Subnet A                 Subnet B 
Branch B                            Subnet B                 Subnet A 
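A check for the overlap this best practice warns about, plus a helper that builds the recommended layout from a list of locations. This is an added example, not Qualys code; sensor configurations are plain dicts and the subnets are constructed, so adapt the input to however you export your Internal Assets configuration.

```python
"""Validate a multi-sensor Internal Assets layout against best practice 1.

Added example, not Qualys code. find_inventory_overlaps() flags inventoried
ranges that overlap across sensors (including supernet/subnet pairs);
recommend() produces the "own subnets inventoried, everyone else's
non-inventoried" layout from the table above. Subnets are constructed.
"""
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple


def find_inventory_overlaps(sensors: Dict[str, dict]) -> List[Tuple[str, str, str, str]]:
    """Return (sensor_a, range_a, sensor_b, range_b) for every pair of
    inventoried ranges on different sensors that overlap."""
    parsed = {name: [(c, ipaddress.ip_network(c, strict=False))
                     for c in cfg.get("inventoried", [])]
              for name, cfg in sensors.items()}
    hits = []
    for (a, nets_a), (b, nets_b) in combinations(parsed.items(), 2):
        for ca, na in nets_a:
            for cb, nb in nets_b:
                if na.overlaps(nb):      # true for equal, sub- and supernets
                    hits.append((a, ca, b, cb))
    return hits


def recommend(locations: Dict[str, List[str]]) -> Dict[str, dict]:
    """Each sensor inventories only its own location's subnets and carries
    every other location's subnets as non-inventoried, so inter-branch flows
    are still attributed by IP without duplicate inventory reports."""
    layout = {}
    for sensor, own in locations.items():
        others = [s for loc, subs in locations.items() if loc != sensor for s in subs]
        layout[sensor] = {"inventoried": list(own), "non_inventoried": others}
    return layout


if __name__ == "__main__":
    # The "not recommended" layout: both sensors inventory both subnets.
    bad = {"Branch A": {"inventoried": ["10.1.0.0/16", "10.2.0.0/16"]},
           "Branch B": {"inventoried": ["10.1.0.0/16", "10.2.0.0/16"]}}
    for hit in find_inventory_overlaps(bad):
        print("overlap:", hit)
    good = recommend({"Branch A": ["10.1.0.0/16"], "Branch B": ["10.2.0.0/16"]})
    print(good, "overlaps:", find_inventory_overlaps(good))
```

Run the overlap check whenever a sensor is added or an Internal Assets group is edited; the supernet case is the one that slips past visual review, since "10.0.0.0/8" on a central sensor silently duplicates every branch's /16.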


2. Avoid mirroring replicated IPs to a single appliance 


In some topologies, more common in OT networks, multiple smaller networks use the 
same IP subnet. Each such replicated IP subnet has to be mirrored to a separate NPS 
appliance. Avoid mirroring multiple such subnets to one appliance. 


For example, consider a site with a yard having many cranes, where each crane is a small 
network with exactly the same type of devices configured with the same IPs. 


The overlapping IP address space in each crane can be handled by the Network feature, to 
which the customer can subscribe. This feature allows the same subscription to uniquely 
identify an IP within a network. 


The Network feature is already supported in the VM and PC modules and is part of the PS 
1.4.0.0 release. NPS uses the Network feature to de-duplicate passively sensed unmanaged 
IPs/assets against managed assets belonging to the same Network. NPS performs the 
network-based merge only when it has neither MAC nor hostname information to uniquely 
identify the assets for de-duplication. 


So here is what the configuration of the PS appliance in each crane would look like: 

Crane #1 

- Add Crane #1 IP range R1 to Asset Group AG1 in Network N1 in the VM module 

- Run a policy compliance scan for asset group AG1 in N1 in the VM module 

- Add NPS1 to Network N1 and configure NPS1 to sense IP range R1 in N1 

Crane #2 

- Add Crane #2 IP range R2 to Asset Group AG2 in Network N2 in the VM module 

- Run a policy compliance scan for asset group AG2 in N2 in the VM module 

- Add NPS2 to Network N2 and configure NPS2 to sense IP range R2 in N2 
3. Add NATed IPs to the excluded list 


NPS does not yet support detecting devices behind NAT. All assets behind a NAT device are 
masqueraded by the NATed IP, and if PS sees this NATed IP it associates the 
metadata/attributes of all such devices with a single asset that has the NATed IP. This 
makes the asset very large and slows down the processing pipeline on the cloud. So, it is 
recommended to add such IPs as internal assets to be excluded. 


4. Do not feed multiple copies of the same packet to the sensor 


It is important that the TAPs or SPAN ports that feed the traffic copy to PS do not deliver 
duplicate copies of the same packet. Duplicates cause PS to report incorrect traffic flow 
volumes. 


5. Backup and restore of PS VM image 


It is not recommended to back up NPS VM images for later restore. If the VM fails to boot 
due to corruption, contact Qualys Support rather than restoring an old image or 
re-deploying the PS VM on your own. The NPS services in your Qualys cloud account retain 
the sensor configuration and apply it to the appliance on reboot. 